Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 765352 (CVE-2020-35459)

Summary: sys-cluster/crmsh: privilege escalation (CVE-2020-35459)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: trivial CC: cluster, vovan
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~1 [ebuild?]
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-01-13 22:19:32 UTC
CVE-2020-35459 (

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.

Maintainers, I can't find a patch applied to crmsh in Git, so please confirm
if a newer release fixes this issue. There's also a patch at URL which might
work if not.
Comment 1 Ultrabug gentoo-dev 2021-02-08 09:26:46 UTC
I dropped the older versions, only 4.2.1 is left in tree !

Comment 2 Ultrabug gentoo-dev 2021-02-08 09:29:18 UTC
hmm on a second read, it seems that "through" 4.2.1 means that it's also affected right?

There's no higher release yet.
Comment 3 Zdravko Spoljar 2021-02-10 02:31:37 UTC
 # crm node status        
Fatal error:
    No module named 'parallax'

in version 4.2.1. ?
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:24:32 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:33:03 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:40:53 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:49:04 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:04:59 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:13:17 UTC
Package list is empty or all packages have requested keywords.